| Advisory | Package(s) | CVE | Published | Updated |
| --- | --- | --- | --- | --- |
| Cross-session PubSub topic injection via URL parameter in phoenix_storybook | pkg:hex/phoenix_storybook, pkg:github/phenixdigital/phoenix_storybook | CVE-2026-47068 | 20 May 2026 | 22 May 2026 |
| Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | pkg:hex/phoenix_storybook, pkg:github/phenixdigital/phoenix_storybook | CVE-2026-8467 | 20 May 2026 | 22 May 2026 |
| Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook | pkg:hex/phoenix_storybook, pkg:github/phenixdigital/phoenix_storybook | CVE-2026-8469 | 20 May 2026 | 22 May 2026 |
| Unbounded buffer accumulation in multipart header parsing causes denial of service in plug | pkg:hex/plug, pkg:github/elixir-plug/plug | CVE-2026-8468 | 14 May 2026 | 15 May 2026 |
| Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame | pkg:hex/cowlib, pkg:github/ninenines/cowlib | CVE-2026-43970 | 13 May 2026 | 15 May 2026 |
| Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy | pkg:hex/cowboy, pkg:github/ninenines/cowboy | CVE-2026-8466 | 13 May 2026 | 14 May 2026 |
| HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-39806 | 13 May 2026 | 13 May 2026 |
| HTTP/1 chunked body reader ignores length cap in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-39803 | 13 May 2026 | 13 May 2026 |
| SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3 | pkg:hex/postgrex, pkg:github/elixir-ecto/postgrex | CVE-2026-32687 | 12 May 2026 | 13 May 2026 |
| CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1 | pkg:hex/cowlib, pkg:github/ninenines/cowlib | CVE-2026-43968 | 11 May 2026 | 12 May 2026 |
| Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS | pkg:hex/cowlib, pkg:github/ninenines/cowlib | CVE-2026-7790 | 11 May 2026 | 12 May 2026 |
| Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 | pkg:hex/cowlib, pkg:github/ninenines/cowlib | CVE-2026-43969 | 11 May 2026 | 12 May 2026 |
| Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe | pkg:hex/absinthe, pkg:github/absinthe-graphql/absinthe | CVE-2026-42793 | 08 May 2026 | 09 May 2026 |
| Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug | pkg:hex/absinthe_plug, pkg:github/absinthe-graphql/absinthe_plug | CVE-2026-42794 | 08 May 2026 | 16 May 2026 |
| Quadratic fragment-name uniqueness check causes denial of service in absinthe | pkg:hex/absinthe, pkg:github/absinthe-graphql/absinthe | CVE-2026-43967 | 08 May 2026 | 09 May 2026 |
| Unbounded exponent in decimal enables unauthenticated DoS | pkg:hex/decimal, pkg:github/ericmj/decimal | CVE-2026-32686 | 07 May 2026 | 09 May 2026 |
| Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix | pkg:hex/phoenix, pkg:github/phoenixframework/phoenix | CVE-2026-32689 | 05 May 2026 | 07 May 2026 |
| CL.CL HTTP request smuggling via duplicate Content-Length in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-39805 | 01 May 2026 | 04 May 2026 |
| WebSocket permessage-deflate inflate has no output-size cap in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-39804 | 01 May 2026 | 13 May 2026 |
| Client-supplied URI scheme trusted without transport verification in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-39807 | 01 May 2026 | 04 May 2026 |
| WebSocket fragmented message reassembly unbounded in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-42786 | 01 May 2026 | 04 May 2026 |
| HTTP/2 frame size limit checked after body is buffered in bandit | pkg:hex/bandit, pkg:github/mtrudel/bandit | CVE-2026-42788 | 01 May 2026 | 04 May 2026 |
| Lockfile checksums not verified in Hex allows dependency integrity bypass | pkg:otp/hex, pkg:github/hexpm/hex | CVE-2026-32148 | 30 April 2026 | 01 May 2026 |
| Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy | pkg:hex/plug_cowboy, pkg:github/elixir-plug/plug_cowboy | CVE-2026-32688 | 27 April 2026 | 29 April 2026 |
| SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2026-32147 | 21 April 2026 | 22 April 2026 |
| Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification | pkg:sid/gleam.run/gleam, pkg:github/gleam-lang/gleam, pkg:oci/gleam | CVE-2026-32146 | 11 April 2026 | 04 May 2026 |
| ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch) | pkg:otp/inets, pkg:github/erlang/otp | CVE-2026-28808 | 07 April 2026 | 07 April 2026 |
| OCSP designated-responder authorization bypass via missing signature verification | pkg:otp/public_key, pkg:otp/ssl, pkg:github/erlang/otp | CVE-2026-32144 | 07 April 2026 | 07 April 2026 |
| Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver | pkg:otp/kernel, pkg:github/erlang/otp | CVE-2026-28810 | 07 April 2026 | 08 April 2026 |
| Multipart form body parser bypasses body size limits in wisp | pkg:hex/wisp, pkg:github/gleam-wisp/wisp | CVE-2026-32145 | 02 April 2026 | 07 April 2026 |
| XXE in esaml SAML library allows local file read and potential SSRF | pkg:hex/esaml, pkg:github/arekinath/esaml, pkg:github/handnot2/esaml, pkg:github/dropbox/esaml, pkg:github/Jump-App/esaml | CVE-2026-28809 | 23 March 2026 | 07 April 2026 |
| Denial of Service via Oversized Package Upload | pkg:github/hexpm/hexpm (hexpm / hex.pm) | CVE-2026-23940 | 13 March 2026 | 06 April 2026 |
| Request smuggling via first-wins Content-Length parsing in inets httpd | pkg:otp/inets, pkg:github/erlang/otp | CVE-2026-23941 | 13 March 2026 | 07 April 2026 |
| Pre-auth SSH DoS via unbounded zlib inflate | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2026-23943 | 13 March 2026 | 07 April 2026 |
| SFTP root escape via component-agnostic prefix check in ssh_sftpd | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2026-23942 | 13 March 2026 | 07 April 2026 |
| Path Traversal in wisp.serve_static allows arbitrary file read | pkg:hex/wisp, pkg:github/gleam-wisp/wisp | CVE-2026-28807 | 10 March 2026 | 06 April 2026 |
| Improper authorization in device bulk actions and device update API allows cross-organization device control | pkg:otp/nerves_hub, pkg:oci/nerves-hub, pkg:github/nerves-hub/nerves_hub_web | CVE-2026-28806 | 10 March 2026 | 06 April 2026 |
| Password Reset Tokens Do Not Expire | pkg:github/hexpm/hexpm (hexpm / hex.pm) | CVE-2026-21622 | 05 March 2026 | 21 April 2026 |
| Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access | pkg:github/hexpm/hexpm (hexpm / hex.pm) | CVE-2026-21621 | 05 March 2026 | 06 April 2026 |
| Unsafe Deserialization of Erlang Terms in hex_core | pkg:github/hexpm/hex_core, pkg:hex/hex_core, pkg:github/hexpm/hex, pkg:otp/hex, pkg:github/erlang/rebar3, pkg:otp/rebar3 | CVE-2026-21619 | 27 February 2026 | 06 April 2026 |
| Path Traversal in Local File Store Backend | | CVE-2026-23939 | 26 February 2026 | 07 April 2026 |
| TFTP Path Traversal | pkg:github/erlang/otp, pkg:otp/inets, pkg:otp/tftp | CVE-2026-21620 | 20 February 2026 | 07 April 2026 |
| Cross-site scripting (XSS) in OAuth Device Authorization screen | pkg:github/hexpm/hexpm (hexpm / hex.pm) | CVE-2026-21618 | 19 January 2026 | 06 April 2026 |
| Authorization bypass when bypass policy condition evaluates to true | pkg:hex/ash, pkg:github/ash-project/ash | CVE-2025-48044 | 17 October 2025 | 16 April 2026 |
| Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization | pkg:hex/ash, pkg:github/ash-project/ash | CVE-2025-48043 | 10 October 2025 | 06 April 2026 |
| SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2025-48041 | 11 September 2025 | 07 April 2026 |
| Malicious Key Exchange Messages may Lead to Excessive Resource Consumption | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2025-48040 | 11 September 2025 | 06 April 2026 |
| Unverified Paths can Cause Excessive Use of System Resources | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2025-48039 | 11 September 2025 | 07 April 2026 |
| Unverified File Handles can Cause Excessive Use of System Resources | pkg:otp/ssh, pkg:github/erlang/otp | CVE-2025-48038 | 11 September 2025 | 07 April 2026 |
| Before action hooks may execute in certain scenarios despite a request being forbidden | pkg:hex/ash, pkg:github/ash-project/ash | CVE-2025-48042 | 07 September 2025 | 06 April 2026 |
| Missing Session Revocation on Logout in ash_authentication_phoenix | pkg:hex/ash_authentication_phoenix, pkg:github/team-alembic/ash_authentication_phoenix | CVE-2025-4754 | 17 June 2025 | 06 April 2026 |
| Absolute path traversal in zip:unzip/1,2 | pkg:otp/stdlib, pkg:github/erlang/otp | CVE-2025-4748 | 16 June 2025 | 06 April 2026 |
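The practical question this list raises for an Elixir or Erlang project is which of its locked dependencies appear in it at all. The script below is an added example, not code from the advisory database or from any of the projects listed: it parses the Hex entries of a mix.lock, parses the `pkg:<type>/<name>` package URLs used in the table, and reports which locked packages are named by a `pkg:hex` purl. The mix.lock text is a constructed sample in the shape Mix writes (hashes abbreviated), and the advisory list is a hand-copied subset of the rows above. It deliberately matches only `pkg:hex` purls, because a lockfile names Hex packages, not GitHub repositories or OTP applications, and it does not decide whether a locked version is affected: the table carries no fixed-version data, so a hit means "read that advisory", nothing more.

```python
import re

# Constructed sample mix.lock in the shape Mix writes (hashes abbreviated; not a real project's lockfile).
SAMPLE_MIX_LOCK = '''%{
  "bandit": {:hex, :bandit, "1.6.0", "aaaa", [:mix], [{:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "bbbb"},
  "jason": {:hex, :jason, "1.4.4", "cccc", [:mix], [], "hexpm", "dddd"},
  "plug": {:hex, :plug, "1.16.1", "eeee", [:mix], [], "hexpm", "ffff"},
  "private_lib": {:git, "https://git.example.com/private_lib.git", "0123abcd", []},
}
'''

# Subset of the (package purl, CVE) pairs copied from the advisory table above.
# In real use the full table (or an OSV export of it) would be loaded instead.
ADVISORIES = [
    ("pkg:hex/plug", "CVE-2026-8468"),
    ("pkg:github/elixir-plug/plug", "CVE-2026-8468"),
    ("pkg:hex/bandit", "CVE-2026-39806"),
    ("pkg:hex/bandit", "CVE-2026-39803"),
    ("pkg:hex/bandit", "CVE-2026-39805"),
    ("pkg:hex/cowlib", "CVE-2026-43970"),
    ("pkg:otp/ssh", "CVE-2026-32147"),
    ("pkg:github/erlang/otp", "CVE-2026-32147"),
]

# pkg:<type>/<name>; the name may itself contain '/' (GitHub owner/repo), and any
# @version, ?qualifiers or #subpath suffix is rejected rather than silently folded in.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)$")

# One Hex-sourced mix.lock entry: "key": {:hex, :name, "version", ...
# Git and path entries start with :git / :path and are not matched on purpose.
HEX_LOCK_RE = re.compile(r'"(?P<key>\w+)":\s*\{:hex,\s*:(?P<name>\w+),\s*"(?P<version>[^"]+)"')


def parse_purl(purl):
    """Split 'pkg:<type>/<name>' into (type, name); raise on anything else."""
    m = PURL_RE.match(purl.strip())
    if not m:
        raise ValueError(f"not a bare purl: {purl!r}")
    return m.group("type"), m.group("name")


def parse_mix_lock(text):
    """Return {hex_package_name: locked_version} for the Hex entries of a mix.lock."""
    return {m.group("name"): m.group("version") for m in HEX_LOCK_RE.finditer(text)}


def affected_packages(lock_text, advisories):
    """Map each locked Hex package to the sorted CVE ids whose pkg:hex purl names it.

    Only pkg:hex purls are compared against the lockfile: a pkg:github or pkg:otp
    purl identifies a repository or an OTP application, not a Hex package, so
    comparing those would produce false matches. A hit flags the package for
    review; it says nothing about whether the locked version is affected.
    """
    locked = parse_mix_lock(lock_text)
    hits = {}
    for purl, cve in advisories:
        ptype, name = parse_purl(purl)
        if ptype == "hex" and name in locked:
            hits.setdefault(name, set()).add(cve)
    return {name: sorted(cves) for name, cves in hits.items()}


if __name__ == "__main__":
    locked = parse_mix_lock(SAMPLE_MIX_LOCK)
    for name, cves in sorted(affected_packages(SAMPLE_MIX_LOCK, ADVISORIES).items()):
        print(f"{name} {locked[name]}: review {', '.join(cves)}")
```

Packages pulled in as git or path dependencies are skipped because the lockfile gives them no Hex name to match on; if a vendored fork of one of the listed packages matters to you, it has to be checked by hand.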